From 38149bb048d9833cc3cf9a13cbff5300fbed36ef Mon Sep 17 00:00:00 2001
From: Ben Noordhuis
Date: Fri, 12 Apr 2013 15:54:31 +0200
Subject: http: escape unsafe characters in request path

Make http.request() and friends escape unsafe characters in the request path. That is, a request for '/foo bar' is now escaped as '/foo%20bar'. Before this commit, the path was used as-is in the request status line, creating an invalid HTTP request ("GET /foo bar HTTP/1.1"). Fixes #4381.
---
lib/http.js | 5 +++++
1 file changed, 5 insertions(+)
(limited to 'lib/http.js')
diff --git a/lib/http.js b/lib/http.js
index ac6b1c6bf7..f6a9b7d4f6 100644
--- a/lib/http.js
+++ b/lib/http.js
@@ -1774,6 +1774,11 @@ ClientRequest.prototype.clearTimeout = function(cb) {
 exports.request = function(options, cb) {
 if (typeof options === 'string') {
 options = url.parse(options);
+ } else if (options && options.path) {
+ options = util._extend({}, options);
+ options.path = encodeURI(options.path);
+ // encodeURI() doesn't escape quotes while url.parse() does. Fix up.
+ options.path = options.path.replace(/'/g, '%27');
 }
 if (options.protocol && options.protocol !== 'http:') {
--
cgit v1.2.3
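Review bot: `encodeURI(options.path)` in the new `else if` branch also escapes `%`, so a path the caller has already percent-encoded (`'/foo%20bar'`) goes out as `'/foo%2520bar'`, which is a different resource and breaks any pre-signed URL. Keeping spaces and CR/LF out of the request line is the part worth having, so a narrower escape that leaves existing `%XX` sequences alone would be safer, e.g. `options.path = options.path.replace(/[\x00-\x20\x7f]/g, encodeURIComponent);` (non-ASCII characters would then need their own decision). `encodeURI()` also throws `URIError` on a lone surrogate, which would surface as a synchronous throw from `http.request()`; a test with a pre-encoded path and one with `'\r\n'` in the path would pin both behaviours. The body of `exports.request` continues past the end of the hunk.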